Daniel Polly, vice president, enterprise information security officer, First Financial Bank

As information security practitioners, we often address changing circumstances. We tackle complex problems, respond to incidents and operational issues, support company initiatives and projects, and more – all while balancing the daily responsibilities built into our position. And no role within a security team – management, engineering, compliance, administration – is immune. These positions are all varied and challenging.

So it should come as no surprise that we frequently fall back on conventional wisdom and dogma, allowing that reliance to influence how we design, engineer and implement security solutions. This is a snare that's easy to fall into and hard to escape. Why? Because we are extremely busy and following established presumptions is effortless. Sometimes, we may worry that we'll appear uninformed if we ask questions. But, when we replace understanding with assumption, we limit our ability to devise innovative solutions to new or long-standing problems. 

For example, have you ever inherited a particular security policy and wondered why it restricted certain behaviors or system settings? Was this restriction legitimate or just something passed down as undisputed truth? Even if it was a genuine necessity at some point, has that time passed? Make no mistake: security governance is a good thing. Clear, relevant policies are important. But policies lacking credibility and defensibility must be classified as dogma. So when dealing with such a policy, do we take the easy path and just pass it on? Or do we research the history of the policy, ask questions, examine the biases and conclusions of its author, identify assumptions and then look for evidence to support or challenge the logic behind the policy? Active security thinking ensures that we don't simply perpetuate security folklore; it delivers valuable direction in not only security policy review and development, but also product procurement, security design, third-party risk assessment, etc. 

“Don't be trapped by dogma – which is living with the results of other people's thinking.”

                                    – Steve Jobs

We can elevate our performance as security professionals by becoming “security thinkers.” When we combine our creativity and intuition with a disciplined thought process, we are able to avoid dogma and, more importantly, perceive surrounding issues more clearly in order to identify the best path forward.

How do we do this? We must be prepared to reason and base decisions on the evidence, starting with the basics:

  • Strive to understand the root cause of a problem
  • Approach issues with humility, realizing that we can't know everything
  • Ask questions
  • Listen to others, but recognize when an incentive or bias is in play (including our own)
  • Deal in facts, not presumptions based on subjective history
  • Engage in continuous learning

At first glance, these methods may appear simple (and they are), but their true value lies in consistent application. As with any skill practiced regularly, execution becomes more refined and the results more reliable. As we work this way and reap the benefits, we'll soon realize that reliance on conventional wisdom, dogma and folklore is a second-rate alternative to what we can accomplish.